ISP's DNS server used instead of opnsense DNS

Started by REH, February 12, 2023, 01:28:51 AM

Hello everyone,

When I go to ipleak.net or similar site, it is always my ISP's DNS server that is shown, even though I have specified Quad9 (9.9.9.9) under system -> settings -> general. (see attached screenshot)

How do I get OPNsense to use 9.9.9.9?

2 options:

1) use Dnsmasq instead of unbound
2) unbound dns > query forwarding > check "use system nameservers"

February 12, 2023, 09:02:16 AM #2 Last Edit: February 12, 2023, 11:27:59 AM by REH
Quote from: Dslgeek on February 12, 2023, 08:41:58 AM
2 options:

1) use Dnsmasq instead of unbound
2) unbound dns > query forwarding > check "use system nameservers"

Option 2 worked, but now I'm leaking my internal IP address in the WebRTC detection.

EDIT: Seems to only be on my android phone, so maybe not an OPNsense issue.

Quote from: REH on February 12, 2023, 09:02:16 AM
Quote from: Dslgeek on February 12, 2023, 08:41:58 AM
2 options:

1) use Dnsmasq instead of unbound
2) unbound dns > query forwarding > check "use system nameservers"

Option 2 worked, but now I'm leaking my internal IP address in the WebRTC detection.

EDIT: Seems to only be on my android phone, so maybe not an OPNsense issue.

Try adding a Port Forward rule on the LAN interface to redirect all packets with destination port 53 to 127.0.0.1:53.

I've tried to make a Port forward rule (see attached screenshot), but I'm not sure I'm doing it right.

It doesn't make a difference on my phone, the LAN IP is still shown.

February 12, 2023, 02:37:37 PM #5 Last Edit: February 12, 2023, 02:39:46 PM by Bunch
Quote from: REH on February 12, 2023, 02:29:38 PM
I've tried to make a Port forward rule (see attached screenshot), but I'm not sure I'm doing it right.

It doesn't make a difference on my phone, the LAN IP is still shown.

Change the destination to any

Firewall: NAT: Port Forward, Create new rule
Interface: Home (assume your wireless access point is in Home interface)
TCP/IP Version: IPv4
Protocol: UDP
Destination: any
Destination port range: DNS to DNS
Redirect target IP: 127.0.0.1
Redirect target port: 53

If that still doesn't work, your phone is probably using DNS over TLS or DNS over HTTP, which cannot be redirected.

Quote from: Bunch on February 12, 2023, 02:37:37 PM
Quote from: REH on February 12, 2023, 02:29:38 PM
I've tried to make a Port forward rule (see attached screenshot), but I'm not sure I'm doing it right.

It doesn't make a difference on my phone, the LAN IP is still shown.

Change the destination to any

Firewall: NAT: Port Forward, Create new rule
Interface: Home (assume your wireless access point is in Home interface)
TCP/IP Version: IPv4
Protocol: UDP
Destination: any
Destination port range: DNS to DNS
Redirect target IP: 127.0.0.1
Redirect target port: 53

If that still doesn't work, your phone is probably using DNS over TLS or DNS over HTTP, which cannot be redirected.

Didn't work, must be something phone-specific as you say.
Thank you for trying to help.

You could also consider installing Zenarmor and blocking DNS over HTTPS and DNS over TLS.
Deciso DEC850v2

If you're using Quad9, their main benefit is that they fully support DNS over TLS to give you encrypted DNS and also take advantage of their malware blocking. By default, just specifying their DNS server in general settings will not use any of this benefit.

To do this, you need to leave the General System Settings DNS entry blank, and also ensure that you leave the box unchecked to "allow DNS to be overridden by DHCP on WAN".

Then go to Services/Unbound/DNS over TLS and input the following as shown in the screenshot. You'll now have Quad9 DNS used by both OPNsense and all LAN-side clients that are using OPNsense for their resolution. OPNsense will pass internal DNS queries using DoT encryption to Quad9.
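The two checks discussed in this thread, the LAN port-53 redirect rule from Bunch's post and the Quad9 DNS-over-TLS forwarding from the post above, can be verified from a LAN client with a small script. The following is an added example written for this page; it is not code from the thread, from OPNsense or from Quad9. It builds and parses DNS wire-format messages itself so the interception test does not depend on any installed resolver library. Assumptions, also marked in the code: 192.0.2.1 (TEST-NET-1, a constructed non-resolver address) runs no DNS server, so any answer to a plain UDP/53 query sent there means the firewall redirected it to its own Unbound; the DoT check connects to 9.9.9.9 on port 853 and verifies the certificate against Quad9's published TLS hostname dns.quad9.net, which is the same check Unbound performs when the forward address carries that name.

```python
"""Added example: verify LAN DNS interception and a DoT query to Quad9 from a LAN client."""
import secrets
import socket
import ssl
import struct
from typing import List, Optional, Tuple


def build_query(name: str, qtype: int = 1, qclass: int = 1,
                txid: Optional[int] = None) -> Tuple[int, bytes]:
    """Build a wire-format DNS query (RD set, one question); returns (transaction id, bytes)."""
    txid = secrets.randbelow(0x10000) if txid is None else txid   # unpredictable id
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, qclass)


def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name at off; returns (name, offset just after it)."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2                     # the pointer occupies two bytes
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumped, hops = True, hops + 1
            if hops > 64:                         # refuse pointer loops in hostile replies
                raise ValueError("compression loop")
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg: bytes, expected_id: int) -> List[Tuple[str, int, str]]:
    """Return answer RRs as (name, type, rdata); A records as dotted quad, others as hex."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_id:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):                           # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        text = ".".join(map(str, rdata)) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, text))
    return answers


def udp_query(server: str, name: str, timeout: float = 2.0) -> Optional[list]:
    """Plain UDP/53 query; None on timeout (i.e. nothing answered, so no interception)."""
    txid, q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data, txid)


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed")
        buf += chunk
    return buf


def dot_query(server: str, hostname: str, name: str, timeout: float = 5.0) -> list:
    """DNS over TLS (RFC 7858): TCP 853, two-byte length prefix, certificate checked against hostname."""
    txid, q = build_query(name)
    ctx = ssl.create_default_context()            # verifies chain and hostname by default
    with socket.create_connection((server, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            tls.sendall(struct.pack("!H", len(q)) + q)
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            data = _recv_exact(tls, length)
    return parse_response(data, txid)


if __name__ == "__main__":
    # Assumption: 192.0.2.1 runs no resolver, so an answer can only come from the firewall's rdr rule.
    print("plain UDP/53 intercepted by firewall:", udp_query("192.0.2.1", "example.com") is not None)
    # Assumption: dns.quad9.net is the TLS hostname Quad9 publishes for 9.9.9.9.
    print("Quad9 over DoT:", dot_query("9.9.9.9", "dns.quad9.net", "example.com"))
```

Run it from the phone's network (any LAN client will do): the first line should read True once the redirect rule is active, and False from a client whose queries bypass the firewall. The second line fails with a certificate error if the DoT hostname does not match, which is exactly the protection you lose if the forward address is configured without its hostname.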

Quote from: opnfwb on February 12, 2023, 06:58:01 PM
If you're using Quad9, their main benefit is that they fully support DNS over TLS to give you encrypted DNS and also take advantage of their malware blocking. By default, just specifying their DNS server in general settings will not use any of this benefit.

Thank you, worked like a charm.